OFFICE OF THE INSPECTOR GENERAL

EVALUATION OF THE U.S. INTERNATIONAL TRADE COMMISSION’S FISCAL YEAR 2007 INFORMATION SECURITY PROGRAM AND PRACTICES

AUDIT REPORT
OIG-AR-04-07

October 1, 2007

OFFICE OF INSPECTOR GENERAL
UNITED STATES INTERNATIONAL TRADE COMMISSION
WASHINGTON, DC 20436

October 1, 2007
IG-EE-023

MEMORANDUM

TO: THE COMMISSION

We hereby submit Audit Report OIG-AR-04-07, Evaluation of the U.S. International Trade Commission’s Fiscal Year 2007 Information Security Program and Practices. We conducted an independent evaluation of the Commission’s information security program and practices to determine if the Commission: (1) implemented appropriate actions to correct weaknesses identified in prior-year OIG FISMA audit reports; and (2) met Federal Information Security Management Act criteria.

We found the Commission made some progress in strengthening its information technology security program during the 2007 fiscal year. The Commission fully implemented 2 of the 12 prior-year recommendations, leaving 10 with further action required. This review did not address the status of four additional FISMA prior-year recommendations pertaining to our technical review of the ITC-Net. The results of that review were reported on June 5, 2007 in audit report Evaluation of the U.S. International Trade Commission's Fiscal Year 2006 Network Security Controls Audit Report (OIG-AR-03-07).

In addition to the ten open prior-year recommendations, this report identifies five new weaknesses. These weaknesses relate to:

      1.   Administration of the Plans of Action and Milestones
      2.   Compliance with E-Authentication risk assessment requirements
      3.   Annual security controls testing and evaluating
      4.   Security awareness training for new employees and contractors
      5.   Implementation of required minimum security controls

On receiving the Commission’s strong disagreement with our interpretation of the requirements related to E-Authentication risk assessments, we requested OMB to provide further guidance on the requirement. As of the date of this report, we have not received that guidance. Therefore, we are putting our finding and two recommendations related to E-Authentication risk assessments on hold until we discuss this issue with OMB. A discussion on compliance with E-Authentication risk assessment requirements is presented in Section B of this report along with management’s comments.

We made seven new recommendations to improve the Commission’s IT security. The Commission did not agree with two recommendations. Additionally, for four of five agreed upon recommendations, the Commission did not provide planned actions to correct the weaknesses. The OIG stands by its findings and encourages prompt action towards implementing the recommendations in this report.

We incorporated the response in the body of this report and included it in detail as Appendix C.

Jean Smith
Acting Inspector General

CC: Cotton & Company LLP

Due to the sensitive nature of the information contained in our report, we have limited distribution of the report.